Fedora Linux 37 update

Fedora Linux 37 is going to be late; very late. Here’s why. As you may have heard, the OpenSSL project announced a version due to be released on Tuesday. It will include a fix for a critical-severity bug. We won’t know the specifics of the issue until Tuesday’s release, but it could be significant. As a result, we decided to delay the release of Fedora Linux 37. We are now targeting a release day of 15 November.

Imperfect information

Most decisions happen with imperfect information. This one is particularly imperfect. If you’re not familiar with the embargo process, you might not understand why. When a security issue is discovered, this information is often shared with the project confidentially. This allows the developers to fix the issue before more people know about it and can exploit it. Projects then share information with downstreams so they can be ready.

Ironically, Fedora’s openness means we can’t start preparing ahead of time. All of our build pipelines and artifacts are open. If we were to start building updates, this would disclose the vulnerability before the embargo lifts. As a result, we only know that OpenSSL considers this the highest level of severity and Red Hat’s Product Security team strongly recommended we wait for a fix before releasing Fedora Linux 37.

Balancing time and quality

As the Fedora Program Manager, our release schedule is my responsibility. I take pride in the on-time release streak I inherited from my predecessor. We kept it going through Fedora Linux 34 in April 2021. In that time, we made big technical changes (like switching to Btrfs as the default for most variants) and kept each other going through a pandemic. I’m proud of what the community was able to accomplish under difficult circumstances.

But being on time isn’t the only factor. We know that you rely on Fedora Linux for work and for play, so quality is always a consideration. Knowing that we were going to delay for the OpenSSL vulnerability, the question became “how long”?

We make the “go/no-go” decision on Thursdays for a release the following Tuesday. This gives time for the images to update to the mirrors. The OpenSSL project team plans to publish the security fix about 48 hours before we’d make the go/no-go decision for an 8 November target. Factoring in time to build the updated openssl package and generate a release candidate, that gives us about a day and a half to do testing. That’s not enough time to be comfortable with a change to such an important package.

As a result, we’re giving ourselves an extra week so that we can be confident that Fedora Linux 37 has the same level of quality you’ve come to expect.

Was it the right decision?

Time will tell if we made the right decision or not. Today’s Go/No-Go meeting was lively and not everyone agrees that we should delay the release because of this. Like I said, we have little information to go on. It’s important to note that the decision was made as a team, and not the dictate of a single person. Fedora values collaborative decision making, and this is a good example.

When the details are released Tuesday, it may turn out we go “wow, that was not worth delaying the release.” But I think we made the best decision we could with the information we have available.

In the meantime, please join us November 4–5 for the Fedora Linux 37 Release Party. It will be a lot of fun, even if the release isn’t quite out yet.

New in Fedora

158 Comments

  1. Geoffrey Gordon Ashbrook

    Waiting is the right decision! Many thanks for following best practice. (Maybe that’s why Fedora actually works so well…)

  2. Tomasz

    We will appreciate next release even more when we wait for it and knowing that is fully ready is always 👍🏻

  3. Why rush? That’s the devil ‘s little plan. Take your time.

  4. Jamin Samuel

    Take time … relax and wait.

    Saludos desde Medellin – Colombia

  5. laolux

    Good decision. Should give the other two accepted blocker bugs also some more time to be resolved. Especially gnome calendar bug seems to be taking more time, given the recent (in-)activity on the corresponding gitlab issue.

  6. Marco Aldana

    Although we don’t like it, the right decision was made

  7. Grant Swinger

    Hey, at least you’re not Cloud-Imperium-Games late. They’re still working on Star Citizen years after it should have shipped.

    BTW, I’ve been running the beta for a while now and it’s rock solid. This will be a great release.

    • George

      On the other hand I rather wait for next years to get games like Squadron 42 and Star Citizen (PU) than the game they originally planned.
      As far as I know there is no alternatives for it either although there are some good space games available: DU, Starbase, ED, In The Black, …

      Yes, IMO Fedora team made a right decision.

    • madbananas

      I started to laugh so out loud here when I read your comment. I’ll make sure to share this beauty with my Org pals for a round of good laughs on behalf of C.-the-eternal-delayer-R. 😀

  8. João

    Sure thing, buddy. Take your time.

  9. David Frantz

    You don’t need to explain yourself with so much detail. Simply state that an external project has the release on hold.

    As for not liking it as some have said, I rather like that Fedora has the integrity to put a release on hold. Schedules for an open source project should never be set in stone. Frankly the desire to hit a release date has lead to some pretty horrible Fedora releases in the past (many projects for that matter).

    • Daniel

      This is the reason why I like Fedora Linux.
      Quality first, politics later..

  10. Steven Urkel

    Waiting is the right decision. Can people like me who have installed Fedora 37-Beta be affected by the OpenSSL vulnerability mentioned in this post?

    The default install configuration should be safe if we don’t tinker with SSL…?

  11. Tomasz

    Guys,
    Decision is decision. In my opinion this is right decision.
    The most important thing in IT is to save effort and time of other people.
    If SSL could generate some (unknown yet) issues with stability of the systems, it is better to postpone release than … starting with security issues.

  12. Mikael Simpson

    Gutted i’ve got my fedora 37 build all planned out.

    but glad you’ve made the right decision rather it be right.

  13. Ralf

    I expect older versions such as part of Fedora 36 to be affected as well. So a Fedora 37 with an equally broken OpenSSL release would be no worse. So just go ahead and blast that release out.

    • F35 is not affected, F36 is. It will get the patched release as soon as it’s available. The reason we’re holding off F37 is because otherwise the installers and live CDs as will have the vulnerable version forever. Depending on what the vulnerability ends up being specifically, this could be an issue for live image and cloud users, as well as hardware manufacturers that ship Fedora Linux.

      • Mr Grandpa Leslie Satenstein, Montreal,Que

        Grammar touchup
        F35 is not affected by the SSL update, however, F36 is affected and it will get the patched release as soon as it’s available. The reason we’re holding off the release of F37 is to prevent the installers and live CDs from having the vulnerable SSL version forever. Depending on what the vulnerability ends up being specifically, this could be an issue for live image and cloud users, as well as hardware manufacturers that ship Fedora Linux.

        • FeRD (Frank Dana)

          If we’re being pedantic, then in your touchup:

          s/SSL/OpenSSL/g

          SSL-the-protocol does have versions. Three of them, in fact, all of which are long since deprecated. The current version of SSL is spelled TLS 1.3.

          But the embargoed disclosure isn’t a vulnerability in the protocol. (If it were, other implementations would also be affected.) The vulnerability is in OpenSSL’s implementation.

  14. Uwe Geercken

    I have Fedora on my company laptop and also everywhere at home. So I rely on a stable and secure system. Waiting is the right decision and thank you for openly communicating with us.

  15. Giovanni Pelosi

    100% agree

  16. Michael Gruber

    One more line of thought: openssl is at the same version in F36 and F37, so people might wonder – what is the (openssl-related) risk of upgrading to F37 now?

    Individually: None! (You’re exposed either way.) And if you want to upgrade now you have everything you need: install media for RC 1.4, repos for upgrading via dnf.
    Just note that because F37 is still in freeze you might want to enable updates-testing in case there are updates in F36-stable which are not in F37-stable yet (because of the freeze and packager lapsus/impatience).

    So why not release now? Because the release determines what is in “the” install media for F37, and these will be in use for a long time, at least on those architectures for which we do not do respins. And that is why this is the right decision under the given circumstances – hats off, any colour 😉

  17. Jonathan

    I upgraded Fedora 37 maybe 10 days ago based on the release schedule, I always do like this for each release as soon as I can (my fault) but if I knew this earlier I wouldn’t even upgraded it yet.

    I guess I should wait a few days but that was out of plan for me.

    • I wouldn’t call it a mistake. You’ll get the OpenSSL fix as soon as it’s available (before the official release). I’d have upgraded already but I’ve been too busy.

    • Czarek

      It seems to me that in the long run upgrading Fedora at the end of support period is among most optimal options. You get the most important updates for upgraded software and most of the issues including extensions etc. are figured out. I’m still on F35 on my production machine and only update it manually with dnf. The inevitable thing about Linux update system is that you get most of your software updated alongside (which in most cases is desired). But things do break due to changes as the software evolves and occasionally stop working after the update. So I always make sure I have a spare day or two to recover full functionality. When upgrading Fedora version, I generally prefer to make a clean installation so I can always boot to previous one until I migrate all the preferences and make sure everything works as expected. It’s more time consuming but when you do it every other release it seems to pay off as you only install packages still in use, cleanup configurations etc. and have a lean system to rely on.

      The thing I appreciate the most about Fedora is that it supports both “LTS-like” update schedule as well as more “rolling release” style if one prefers so. I tested both and it’s convenient that you don’t have to choose different distribution to have that functionality.

  18. Thijs

    N00b sharing his views in the hope I will be corrected so that he might learn something:
    I don´t get it. Is an SSL update such a major component that it couldn’t be patched in week 2 after release? I can´t see how a good security fix would change compatibility or user experience except for edge cases. Keeping people 2 weeks longer on f36 is not more secure, is it?
    Or is it just my one-sided experience with fedora for home computers, where i can just blindly update, where beta is stable enough, and where a broke update might be easy to fix, but reinstallation is even easier?

    I am not arguing against the delay. I trust the developers and maintainers are a gazillion times more competent than me in making the right call here.

    • Peter

      Dont under estimate your competence … They seriously think that people install from iso image and never update their system, thats why its not possible to just update the package after release. also it never occured to them to release f37 just with the network installer image and just delay the full-images. and in the end they should have switched to liblessl long time ago anyway openssl is like openoffice, it just sux.

      • Plenty of people use live images for classrooms and other situations where installing the OS is not practical or possible. We don’t have a mechanism for only releasing the net install image.

        • Thijs

          Seems the right thing to do so than. Make sure the release is as good as reasonably possible, no known big issues in the iso. And for the people who can´t (or don´t want to) wait, there is always a beta.

      • Thijs

        Also don´t over estimate your competence. Always try to take into account the possibility you don´t have complete information, no matter your expertise on the topic. “They seriously think that” and “also it never occured to them” are pretty strong words, and after explanation by Ben seem untrue.
        What you say here though, was exactly what I was thinking. After an install, just update the system. What are the reasons for not updating here? But wanting a as much as possible issue free iso at launch is an intuitively very good reason, and for those who don´t want to wait, there always is the beta, that usually already is great quality.

    • Hi Thijs, Ben made a great comment here that I copied below. I think it gives a good explanation for why delay versus taking an upgrade post-release:

      “F35 is not affected, F36 is. It will get the patched release as soon as it’s available. The reason we’re holding off F37 is because otherwise the installers and live CDs as will have the vulnerable version forever. Depending on what the vulnerability ends up being specifically, this could be an issue for live image and cloud users, as well as hardware manufacturers that ship Fedora Linux.”

    • Mr Grandpa Leslie Satenstein, Montreal,Que

      Hi Thijs.
      There are some businesses that burn Fedora to rom, and others that start producing and delivering products like laptops. The cost to contact the laptop owner distributor is significant. The delay makes sense, and is a responsible decision.

  19. Carl

    Fine for me, thanks

  20. Robert

    Quality first of all, it is for quality and stability that I have chosen Fedora; with Fedora I work on it and I don’t want any nasty surprises. Right decision

  21. gianluca

    Right decision !!!
    Relax and wait
    😉

  22. Feda

    Security should always be the number one priority. Thank you for taking the time to do things the right way. You are definitely making the right call here.

  23. Fernando Rodriguez

    very good decision.

  24. Joel

    Making hasty decisions does not leave good results. Better to wait until all the bugs are fixed and we will have a safer and more reliable distro.

  25. Alex

    Tough decision, but I agree it is the best. No point in releasing official install media with a known high-severity security bug if it can be avoided.

    I’ve been trying the F37 beta in a VM and it looks really nice; so looking forward to the release!

  26. Ed Scott

    Thanks Fedora Team for doing the responsible thing. A few days wait won’t hurt any of us if this issue is as significant as your security team feels it is. Thanks also for explaining clearly the what and why of Fedora needing to arrive a little late.

  27. Ivan

    Much better to wait it out than have an vulnerable ISO floating around on the internet.

  28. A. Stauss

    I believe this was absolutely the right decision. Thanks for keeping us all in the loop! Looking forward to the release party!

  29. Joe B

    If you rush it, everyone will remember the problems. If you take your time and get it right, the delay will be forgotten to other things.

    Quality is key. Get it right guys.

  30. Thomas

    Delaying was the right decision.

  31. Ernesto Miranda

    Considero muy correcta la decisión y comparto las aprehensiones.. Esperar una semana más no es nada.. Gracias por todo el enorme trabajo desarrollado, estoy muy a gusto con Fedora 37 Beta….

  32. Phil Parsons

    Yes. You made the right decision to delay another week.

    Release dates always have a lot of pressure, so. thanks for taking a tough line
    for the good of the release.

  33. Hi Peter, Ben made a great comment here that I copied below. I think it gives a good explanation for why delay versus taking an upgrade post-release:

    “F35 is not affected, F36 is. It will get the patched release as soon as it’s available. The reason we’re holding off F37 is because otherwise the installers and live CDs as will have the vulnerable version forever. Depending on what the vulnerability ends up being specifically, this could be an issue for live image and cloud users, as well as hardware manufacturers that ship Fedora Linux.”

    Additionally, my understanding is that Fedora already uses GnuTLS in many critical places, but a dependency on OpenSSL still exists and it is significant enough to warrant a closer look.

    Of course, if you are keen and ready to get to Fedora Linux 37 right now, you can always upgrade to the Fedora Linux 37 Beta. The Beta has been available for a while and deviations from the final Fedora Linux 37 release will be minor.

  34. Being patient is, often, rewarding.

  35. Manny

    Well done guys!

  36. James

    Ben,

    as a release manager I would like to put it like this: The decision is right, because you made it. It’s your project and you know what’s best for it. Thanks for letting us know what’s going on!

    I like that you’re using btrfs now btw.
    Keep up the good work!

  37. No problem, we were waiting, the team is taking care of it!

  38. Good decision and it looks like this issue is handled perfectly by all parties involved.

    No reason to rush.

  39. Marie-Luise Orland

    One or two weeks later is not important.
    Especially as it is for fixing a vulnerability.

    I use Fedora Workstation for my Laptop at work so having a stable and safe release is more important then the newest version number.

    I mean Fedora 36 is working fine.
    So we won’t be without a good system until the release of Fedora 37.

  40. Rodney "kyran" Gladue

    I’ll take a little peek from behind the veil to say that this was the correct decision.

    Security is important.

    We take it to bleeding edge and dial it back a skosh.

  41. Well, I have no objection to getting it right before release 🙂

  42. ReD

    Solid decision —and the beta is there already, for anyone who, like me, wants to be on 37 now—.

  43. Waiting is the best decision.. I have been distro hoping too many times now.. I have chosen fedora for its stability…

    I am a student. All my work is completely done on my laptop. If something goes wrong, it would take too much time for me to get this right again (I am new to linux).. Waiting for the stable one

  44. Golan Klinger

    So we have to wait a little longer for a new release of the best distro of the best OS that is packed with new features and costs us nothing? No objection here.

    Thank you!

  45. Dev

    Does this mean currently whoever is using 37 beta, has those bugs in his/her installation?

    • david

      It’s probably in every distro that is using a recent OpenSSL release.

  46. david

    You absolutely made the correct decision. I appreciate that Fedora releases aren’t tied to a specific date. Fedora 36 will continue to work just fine.

  47. Degrote Walvis

    New Fedora user here but really enjoying it so far and just want to say thank you for taking security seriously.
    Can’t kick the can down the road forever, but waiting one week for a release? That’s nothing in the grand scheme of the universe.

  48. mask

    It’s a week. You definition of “very late” and my definition don’t quite match. I saw that opening and I was thinking a delay of a month or more. A week to account for a critical security vulnerability is perfectly fine. Thanks for the advance notice.

    • FeRD (Frank Dana)

      The original target date was October 25, with an early target date of October 18. November 15 (IF F37 releases then, as it still has to get through a Go/No-Go meeting before the date is confirmed) will be three weeks late, with the OpenSSL embargo costing two of those. (November 8 isn’t even being considered.)

      I absolutely think waiting was the right decision, but it means the release is far more than a week late.

  49. Stoyan

    Take your time. If that hole has the OpenSSL team that worried, then it’s worth delaying for as long as it takes to patch it properly and finish your testing.

  50. GEPLinux

    Good choice : delivering a stable & safe Fedora on time even if it is not at the scheduled time makes Fedora trustworthy ( as usual ).
    ( So different from the bad choice that Manjaro made to deliver at the scheduled time a non stable solution )

    Waiting impatiently for the Fedora 37

  51. Peter Shearer

    No rush, F36 works great.

  52. At least one place in industry puts quality logic and stability ahead of dates

  53. Arjan Hulsebos

    I don’t know, it’s not that the world would be more vulnerable if you shipped F37 on time, and patch it when openssl produced its patch. Unpatched F37 would be just as vulnerable as F36. The only justification I can come up with for delaying the release is that you expect major changes in the openssl code base, and you need more time to get that in. Otherwise, I don’t think it matters.

  54. Josep Alacid

    There’s one phrase I like a lot from English language:
    “Better be safe than sorry”.

  55. Expandable Folders

    Can you put some manpower into restoring Exapandable Folders In List View please.

    Thank you.

    • FeRD (Frank Dana)

      Wait, does that not work in F37 Nautilus? If so, I’ll skip upgrading at all! Thanks for the warning. (Also, this is really something you should be addressing to the GNOME devs.)

    • FeRD (Frank Dana)

      The loss of expandable folders is a complete dealbreaker for me, I’m afraid.

      But in the end, instead of just NOT upgrading, I’ve decided to build Nautilus from Fedora 36 (42.2) as a package for Fedora 37. I’ve backported the thumbnail API change to make it GNOME 43 compatible, and also rebuilt the major extension packages in F37 to be compatible with the older libnautilus-extension version.

      If anyone else would also like to use Nautilus 42 in Fedora 37, it lives in COPR as ferdnyc/nautilus42. To use:

      sudo dnf copr enable ferdnyc/nautilus42
      # To swap out the main package(s)
      sudo dnf install nautilus42 nautilus42-extensions nautilus42-devel --allowerasing
      # To restore any extensions you may need,
      # as the previous step would've uninstalled them
      sudo dnf install file-roller-nautilus42
      sudo dnf install seahorse-nautilus42
      sudo dnf install gnome-terminal-nautilus42

      I’ve also tested, and the latest version of nautilus-dropbox for whatever Fedora release they’ve kept up to (I think 35, currently?) can be installed and work with nautilus42-extensions on F37.

      I’ll try to find more extension packages, and build compatible versions of them as I go. I’ll also do my best to keep up with new builds of the parent packages. My current expectation is that I’ll keep this maintained until such time as there’s an API break I can’t figure out how to work around, or Nautilus 43+ regains expandable folders.

      (The real twist of the knife is, dconf/GSettings in F37 still has an org.gnome.nautilus.list-view.use-tree-view setting bit. It just does nothing if you enable it!)

    • FeRD (Frank Dana)

      Re: My previous comment, if the second step of the install gives you grief about wanting to uninstall all of gnome-terminal or file-roller because the Nautilus extension is being uninstalled, just include the updated extension version in the same command and that should fix it. I built them all with Provides: for the standard package, so they should work as swap-in replacements.

      IOW, to minimize impact, consider doing it all in one go (leaving out any packages you didn’t have installed BEFORE running this):

      # One install command to rule them all
      sudo dnf install nautilus42 nautilus42-extensions \
        nautilus42-devel gnome-terminal-nautilus42 \
        file-roller-nautilus42 seahorse-nautilus42 \
        --allowerasing
      • Since you stated that you wished your previous comment could be edited, I went ahead and merged the two comments. 🙂 Let me know if I got it wrong.

  56. Joachim

    Hey guys,
    the new release is worth all the wait. I am glad that you made this decision.

    I am glad to be part of this project!

    Cheers,
    Joachim

  57. Kevin G

    My Birthday is the 8th, damn!! What a present it would have been. But thank you Fedora group, understood!!

  58. Truls Gulbrandssen

    I am running F37 Beta on one machine and F36 on another and notice that F36 updates to newer versions of various packages than F37 Beta. For instance the Kernel version on F36 is 6.0.5-200 and F37 Beta 5.19.16-300 and for Firefox 106.0.1 and 105.0.2 respectively.

    Is there also a freeze on the package update for F37 Beta?

  59. rawfox

    That was the right decision !
    Wait and have it as stable and good as all the years before.
    Even if the changes on SSL may need futher time to bring it in, no problem.
    The Fedora team has made so freaking many good things over the years, balancing innovation, stability, actuality and freedom in an awesome user experience.
    Thaks you for your work and keep it going.
    \m/

  60. Xoro Cross

    I just installed Fedora 36 and I’m enjoying so far. I will wait for Fedora 37. It’s better to wait for an OS than to have a buggy OS.

  61. I can see the counter-argument that you should ship Fedora 37 as-is and follow up with a patched OpenSSL later (arguably no different from the situation with Fedora 36) but I totally understand your decision. A major security vulnerability is worth holding up the release schedule. If people are desperate for Fedora 37 features ASAP, they can make the conscious decision to run Fedora 37 Beta in the meantime. Thanks for being responsible with the OS that many people depend on 🙂

  62. Heliosstyx

    It seems that the old Heartbleed bug is (2014) back now and the open source idea is a little bit damaged concerning their arguments against the closed-software industry: open source–> every one could see the code have not lead to more secure products like OpenSSL. Some people does not want believe that software is always a human product with all it flaws etc. In my opinion it’s time to invest more time into code-inspection and heavy testing in both “worlds” (open source and non open source).

  63. Jeffrey Lanham

    Even though I’ve been waiting for the new release, it was absolutely the best decision y’all could’ve done.

  64. jesse

    Good decision on waiting! As a user, I rather have secured release than a new release with a security issue. An an IT Pro, I admire you all making the right decision as a team. I am sure not everyone walked way with what they wanted but they all had a voice and the team decided. Beautiful!

  65. Big Dogg

    I like using Fedora 36 so far. I’m using it with KDE Plasma X11. It’s better to wait than to hurry into an OS update.

  66. Milton Bos

    Thank you for the excellent explanation. Delays are part of any project, and there is always an unforeseen issue that can’t be handled without causing future problems. This appears to be one of them. Thanks again.

  67. Oleg

    Suspending for the sake of safety is a very correct decision.

  68. Stephen Fischer

    The bitterness of poor quality far outlives the sweetness of meeting the deadline.

  69. Andre Gompel

    Fedora 36 MATE was rock solid. (I also had LxQt installed).
    Upgraded to the BETA Fedora 37 (October 31st):

    Since experienced a couple of complete hangups.
    GNOME was installed too, is it an unexpected “feature”?
    LxQt, (1.1) now many years )4+) in the making is still a disappointment, and is no match to MATE desktop: clumsy, incomplete. This is unfortunate, because it seemed promising.
    Since F36 is very robust (my experience), delaying the release until F37 is as good as it can be makes lots of sense.
    Thanks to all who “make it happen… again”. (“Honni soit qui mal y pense”)

    A.G

    • FeRD (Frank Dana)

      “GNOME was installed too, is it an unexpected “feature”?

      Not necessarily, it’s probably an expected feature of the standard Workstation build of F37 [Beta]. How did you upgrade your F36 install to F37 Beta?

      Presumably, your system was installed from the Fedora 36 MATE-Compiz LiveCD. That’s a Fedora Spin, an alternative distribution that’s configured with a customized environment and default set of applications. The primary/official Fedora Workstation configuration installs with GNOME Shell as the desktop environment.

      So, depending how you upgraded to F37 Beta, you may have pulled in the standard Workstation configuration rather than the MATE-Compiz Spin customizations. (Which wouldn’t uninstall the Spin packages, you’d just possibly get the default package set added in alongside them during the upgrade. Which sounds like what happened.)

      There is an F37 Beta LiveCD for the MATE-Compiz spin, which would be the upgrade path with the best chances of preserving your Spin configuration.

      I believe that

      dnf system-upgrade

      from a Spin install is supposed to respect the existing installed package set, for the most part, but I’m not certain about that. (I haven’t been able to find any documentation one way or the other, after a quick check.)

      I’d be much less confident trusting GNOME Software to upgrade a Spin install without breaking (read: “de-Spinning”) it.

  70. Careca Voador

    This is precisely the reason why I chose Fedora. Do not sacrifice quality for speed.

  71. Big Dogg

    I’m enjoying Fedora 36 on my Dell Inspiron 3502 2020 laptop. I didn’t have to reinstall my video and audio drivers. I downloaded from Windows 11.

  72. Jeremy Andrews

    OpenSSL seems to have a lot of issues. Perhaps in the future it might be worth going with a different SSL implementation if possible? Surely that’s not the only choice available.

    I mean, it kind of seems like they tend to introduce a lot of vulnerabilities that then have to be patched quickly, and it throws everyone’s schedules off. Fedora doesn’t seem to be the only project affected in this way, and it also isn’t the first time something like this has happened with OpenSSL.

    In my eyes, it doesn’t make me wary of Fedora itself, but it does have me looking askance at that particular package and wondering if we should be trusting them with our security at all.

    • FeRD (Frank Dana)

      “OpenSSL seems to have a lot of issues.”

      Not really. In fact it has relatively few, especially for such a critical package with so much depending on it. (I mean that both in a package-interconnectedness sense, and also philosophically/existentially).

      OpenSSL bugs tend to be higher-profile, and generate more column-inches of coverage, because there are so many eyes on the project and so many systems depending on it.

      It would be fairer to say that there are no small issues in OpenSSL, because even the most inconsequential, edge-case vulnerability (exactly like this one turned out to be, ultimately) will get blown out of proportion and treated like a 5-alarm blaze in a fireworks factory.

      But having a high-profile, critical codebase with a lot of eyes on it isn’t an indictment of the code! We can’t let it be, because that would be deeply counterproductive.

      Switching to a different SSL implementation (not to imply there are all that many to choose from) would just mean we’d be switching one collection of potential vulnerabilities (a well-known, repeatedly-scrutinized, intensively tested and re-tested one) for a different collection of potential vulnerabilities that haven’t yet been found.

      In a less prominent implementation, undiscovered vulnerabilities may be lurking for months, years, or decades before enough attention is paid to finally discover, report and disclose them.

      At which point, someone would probably make an argument something like this: The project’s finite resources would be better spent if, instead of patching holes in some obscure SSL codebase, we just replaced it with the industry-standard OpenSSL that every other distro uses.

      And ’round and ’round we go.

      P.S> (Any piece of software is mainly just a collection of undiscovered bugs.)

  73. Ali Jawad

    Sometimes slowing down yields an opportunity to speed up later with less risk and better footing in the long run.

    This is the right call to delay a bit. Integrity is important.

  74. Mr Grandpa Leslie Satenstein, Montreal,Que

    Are we end-users going to have access to Workstation-live-beta.iso or the Everything.beta.iso before the golive?

    I aleady have the KDE beta and cinnamon beta versions of Fedora spins with kernel 6.0.x and some updates beyond the 5.19 kernel version for these to interfaces.

  75. Charles

    Despite the unfortunate delay, I appreciate the openness and clear reason provided for this delay. Looking forward to the great product in mid-Nov!

  76. Jose Gregorio Jimenez Sanchez

    I see that Nov 15 very far away, I will continue drinking coffee in the sweet wait. friends I am from Venezuela I want to help with translations into Spanish where I have to go.

    Thank you

  77. Dale Raby

    I normally don’t update until I am three generations behind… so there is no rush.

  78. Joe

    I absolutely understand the decision and actually this is one of the good things of the open source world. There is no preasure from short sighted business clowns pressing the engineers into hasty and bad decisions 😉

  79. Nkouonlack Niels

    please fedora file manager is refusing to open and also settings and some other system apps
    i need some help with this i just switched to linux from windows and i dont want to lose all my precious documents so please does anyone knows what could cause this bug

    contact at whatsapp : +237698771786

    • Nkouonlack, this is probably not the best place to ask for assistance. A better location might be:
      https://ask.fedoraproject.org/
      Make certain you include the release version and display manager you are using in your request for assistance.
      Click on [+ New Topic] to get started.

  80. Dwight

    Looking forward to the Fedora Linux 37 release on November 15th. Thanks so much to the Fedora team for all your work and a wonderful distro.

  81. Dj Anthony

    Not a problem, this is a good decision and it is even better that you let us know. Thank you for this information, and great work building this awesome distro!

  82. As I’ve been seeing many threads on Fedora 37 being delayed, with some people surprised or disappointed, it just got me wondering.

    Is there anyone else that is happy about the delay?

    I think when I first started using Fedora, I ran into an issue (fresh install, 240GB drive was 100% full after installation, I couldn’t even login) and my friend’s teacher at the time, had said that he never updates an OS when it first comes out and waits a few months.

    That turned me into a conservative Fedora upgrader. Seems funny to group conservative and Fedora in the same sentence, when most of the time in a Fedora thread at least one person will describe it as bleeding edge.

    Anyway, say, I had Fedora 16, I’d wait until a month after Fedora 18 came out before upgrading and continued on that path. So with the longer the delay the longer I could keep using the older version.

    • Mr Grandpa Leslie Satenstein, Montreal,Que

      As a diehard Fedora user, I usually look forward to the betas for the next version. I do have a desktop with multiple disks therein, so I have dedicated one disk for the next releases of Fedora, or occasionally, some other distribution.

      For the record, the current Fedora beta is, for what I do with it, 100% correct. I do use it to connect to multiple internet websites, and thus far, I have not experienced any issues.
      My system is just humming along, no Fedora software buglets to gripe about after one month with the beta installation and the beta being my only daily use system.

  83. Jaack McMahon

    Is is called CRITICAL for a great reason. Fix bad problem(s) that may make systems exploitable. I can and will wait for fixes before release of 37.
    THANKS

  84. Saga

    Is there any plan to make something like pop os nvidia optmus switcher on fedora ? or even something like ubuntu (pre set nvidia )?

  85. Eddie G. O'Connor Jr.

    Just curious, but are there any videos of the Release Party?…I missed it due to having to travel, and I know it was 11/4/2022 & 11/5/2022, but I can’t find vids or snippets of it anywhere!? Doe anyone know of any clips or coverage of the release party? if so…can you provide the links? Thanks!

  86. Fedora

    They are a new fedora user, I installed a huawei model: KLVD-WDH9 on my laptop, but it has no audio, I tried everything to find a solution, but I did not succeed, I hope you can help me.

  87. Jose Gregorio Jimenez Sanchez

    I had been wanting to migrate my system to Fedora for some time. I am developing to further open my range of services here in Venezuela.

  88. LiuYan

    Is it possible that Fedora change it’s releasing strategy to other one, say, “When it’s ready” strategy? This could avoid Fedora been known as “The Fedora distribution is infamous for delaying new releases”

    • Marko

      I think it’s good to have targets set and nothing worg if those are pushed back for good reasons.

  89. Nick

    I’m using Debian and Fedora for my computers. They’re both great!

  90. Christoph

    Quality and safety come first, that’s why I chose Fedora.
    I have to wait until my Extensions get updated to GNOME 43 anyway

  91. Cory Hilliard

    People have asked me why I switched from Windows to Linux. It’s because of the quality over quantity attitude that keeps our lives bug-free and eye-twitch-free. Thank you for holding the release until ready.

  92. Rafi

    Excellent decision.. actually, it’s a no-brainer decision. It is only the “stable” relese that is being delayed.. if you really need F37 now… upgrade to the beta. What is the hardship here?

  93. The last critical OpenSSL bug was Heartbleed. That alone should be reason enough to delay release. Having it patched beforehand is a good idea and I believe it is the right call.

  94. Thoughtful and wise decision to delay the launch … I always despise the likes of Apple, Google releasing their phones with mensrea, and wait for their users to “discover” the bugs for them, and then hurriedly release an update to fix the latter. And yet all the bugs are within their phones/software. It is almost like a non-stress-tested product goes out, whilst the team continues to work on the fixes, and when the users uncover the bugs, the fixes appears virtually the next day!

    In the Fedora 37 case, this is something out of the realm of Fedora’s reach and control, and they have chosen to wait for this to be fixed before releasing the patched version – no better definition of Stable release! On the flip side, releasing a known-exploitable Fedora, and risking users to install this on a system without frequent internet connection and/or update cycle and a potentially irreversible reputation-tarnishing and community-impacting threats are in the wild.

    Good call Fedora and Red Hat team!

  95. Colin Sare-Soar

    I’m not really bothered with the delay, I just want a system that works well.
    I had Fedora35 as a secondary Linux system, to check it out and experiment. Many years back I used Fedora exclusively but then switched to Mint (shock horror!)
    F35 has been working OK and I have kept it pretty well updated until dnfdragora stopped working for some reason. I did try F36 but it just didn’t work for me. I had all sorts of problems, so I ditched it and went back to F35 and decided to wait until F37 before upgrading again.
    I have been running the F37 beta from a stick and it seems to work pretty well but I can be patient for another week……
    I ran the update on my F35 system a few days back and it downloaded a ton of updates. After it finished, it was unusable, network connection but no internet and various other problems. So I went back with a Timeshift backup and it all works fine again. I will do a completely fresh install once F37 is released.

  96. Robert Dowling

    Thank you and thanks for the thoughtful update. I love the work you’re doing.

  97. Brian

    You made the right call. I’d much rather have a safe, stable release.

    Thank you for your time and hard work!

  98. John

    I have had bug in pass releases that really took my Fedora down, really appreciate you waiting on known fixes. I am still in 32 because of issues w updates extra.

    • Eric L.

      You’re taking an “extra” risk (excuse the pun) by staying on a release which isn’t supported since so long, this means that you haven’t had security updates since around 2 years.

  99. The new release must be a safe and stable.

  100. Dave Hugh

    Glad you waited, quality trumps timeliness in this case. The beta is so rock solid (using on my laptop and DIY home internet router) not sure it matters!

  101. Tristan

    I work as a mechanic by trade and I won’t ship my car out that I’m fixing until it’s fixed; why wouldn’t software creators do the same.

    Personally, I appreciate the delay.

  102. Aly

    Thank you for your hard work sir we will wait until it will be fixed.

  103. Ho3in

    Hello fedora team, plz fix the Activities search issue until release time. it’s duplicates first Key, for exmaple searching for qbitorent it go QQbitorent.

  104. Steven Urkel

    I have installed Fedora 37 Beta and updated it via dnf, will I have to reinstall Fedora 37 on release using ISO image or will ”

    sudo dnf upgrade

    ” suffice?

  105. So aguardando nova versao sair, quero logo atualizar!

  106. Bruno Santos

    Just waiting for new version to come out, I want to update soon!

  107. Gnanesh

    To all the wonderful folks at Fedora who generate the awesome distro – as everyone says, it’s a great decision that all release teams on any project should follow, especially when it’s concerning with security.

    Waiting eagerly for a day more to get the F37!

    Fedora rocks!

  108. Igor

    Can you please tell me exactly what time Fedora 37 will be released? At what time?

  109. Rigol

    Thank you! Nice work.

Comments are Closed

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions